[v5.15] KASAN: null-ptr-deref Read in do_journal_end


syzbot

Apr 6, 2023, 10:35:43 AM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: d86dfc4d95cd Linux 5.15.106
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1524c9b5c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=dca379fe384dda80
dashboard link: https://syzkaller.appspot.com/bug?extid=3c8d7233d04a6103ddb1
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2c159eb4fcae/disk-d86dfc4d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5f50187f87c7/vmlinux-d86dfc4d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f787f3f09c09/bzImage-d86dfc4d.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3c8d72...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:71 [inline]
BUG: KASAN: null-ptr-deref in test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline]
BUG: KASAN: null-ptr-deref in set_buffer_uptodate include/linux/buffer_head.h:147 [inline]
BUG: KASAN: null-ptr-deref in do_journal_end+0x105d/0x4650 fs/reiserfs/journal.c:4077
Read of size 8 at addr 0000000000000000 by task kworker/0:15/5856

CPU: 0 PID: 5856 Comm: kworker/0:15 Not tainted 5.15.106-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023
Workqueue: events_long flush_old_commits
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
__kasan_report mm/kasan/report.c:438 [inline]
kasan_report+0x161/0x1c0 mm/kasan/report.c:451
kasan_check_range+0x27e/0x290 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:71 [inline]
test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline]
set_buffer_uptodate include/linux/buffer_head.h:147 [inline]
do_journal_end+0x105d/0x4650 fs/reiserfs/journal.c:4077
reiserfs_sync_fs fs/reiserfs/super.c:78 [inline]
flush_old_commits+0x20d/0x2e0 fs/reiserfs/super.c:111
process_one_work+0x8a1/0x10c0 kernel/workqueue.c:2306
worker_thread+0xaca/0x1280 kernel/workqueue.c:2453
kthread+0x3f6/0x4f0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
</TASK>
==================================================================
Kernel panic - not syncing: KASAN: panic_on_warn set ...
CPU: 0 PID: 5856 Comm: kworker/0:15 Tainted: G B 5.15.106-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023
Workqueue: events_long flush_old_commits
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
panic+0x318/0x84d kernel/panic.c:309
check_panic_on_warn+0x7e/0xa0 kernel/panic.c:229
end_report+0x6d/0xf0 mm/kasan/report.c:121
__kasan_report mm/kasan/report.c:441 [inline]
kasan_report+0x18e/0x1c0 mm/kasan/report.c:451
kasan_check_range+0x27e/0x290 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:71 [inline]
test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline]
set_buffer_uptodate include/linux/buffer_head.h:147 [inline]
do_journal_end+0x105d/0x4650 fs/reiserfs/journal.c:4077
reiserfs_sync_fs fs/reiserfs/super.c:78 [inline]
flush_old_commits+0x20d/0x2e0 fs/reiserfs/super.c:111
process_one_work+0x8a1/0x10c0 kernel/workqueue.c:2306
worker_thread+0xaca/0x1280 kernel/workqueue.c:2453
kthread+0x3f6/0x4f0 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
</TASK>
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Jul 16, 2023, 11:06:11 AM
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: d54cfc420586 Linux 5.15.120
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1745d6faa80000
kernel config: https://syzkaller.appspot.com/x/.config?x=1cbb66d8f24dbb30
dashboard link: https://syzkaller.appspot.com/bug?extid=3c8d7233d04a6103ddb1
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1466441aa80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=177bdd42a80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a7edb50fe106/disk-d54cfc42.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6d9892e76c6e/vmlinux-d54cfc42.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0fd11af6d33e/Image-d54cfc42.gz.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/676843ad7815/mount_0.gz
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/6122b1a1a547/mount_1.gz
mounted in repro #3: https://storage.googleapis.com/syzbot-assets/2f6d2ef17580/mount_7.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3c8d72...@syzkaller.appspotmail.com

Unable to handle kernel paging request at virtual address dfff800000000000
Mem abort info:
ESR = 0x0000000096000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
ISV = 0, ISS = 0x00000006
CM = 0, WnR = 0
[dfff800000000000] address between user and kernel address ranges
Internal error: Oops: 96000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 3996 Comm: syz-executor152 Not tainted 5.15.120-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : arch_test_bit include/asm-generic/bitops/non-atomic.h:118 [inline]
pc : set_buffer_uptodate include/linux/buffer_head.h:147 [inline]
pc : do_journal_end+0xf7c/0x3c50 fs/reiserfs/journal.c:4077
lr : __getblk include/linux/buffer_head.h:416 [inline]
lr : do_journal_end+0xf74/0x3c50 fs/reiserfs/journal.c:4074
sp : ffff80001cb975f0
x29: ffff80001cb97750 x28: ffff0000d78b8678 x27: 1ffff00003bbb20b
x26: 0000000000000000 x25: 0000000000000000 x24: ffff0000dcc3b017
x23: ffff0000d78b8018 x22: ffff80001ddd9040 x21: 0000000006393dfe
x20: ffff0000c058d240 x19: dfff800000000000 x18: ffff80001cb96900
x17: ff8080000889b904 x16: ffff80000824cbf4 x15: ffff800008a089e8
x14: 1ffff0000291e06a x13: ffffffffffffffff x12: 0000000000000000
x11: ff80800008a6a4c4 x10: 0000000000000000 x9 : ffff800008a6a4c4
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000008 x3 : ffff800008a705b8
x2 : 0000000000000001 x1 : 0000000000000003 x0 : 0000000000000000
Call trace:
__getblk include/linux/buffer_head.h:416 [inline]
do_journal_end+0xf7c/0x3c50 fs/reiserfs/journal.c:4074
journal_end_sync+0x164/0x1d0 fs/reiserfs/journal.c:3533
reiserfs_sync_fs+0xd4/0x150 fs/reiserfs/super.c:78
sync_filesystem+0xe8/0x218 fs/sync.c:56
generic_shutdown_super+0x70/0x29c fs/super.c:448
kill_block_super+0x70/0xdc fs/super.c:1405
reiserfs_kill_sb+0x134/0x14c fs/reiserfs/super.c:570
deactivate_locked_super+0xb8/0x13c fs/super.c:335
deactivate_super+0x108/0x128 fs/super.c:366
cleanup_mnt+0x3c0/0x474 fs/namespace.c:1143
__cleanup_mnt+0x20/0x30 fs/namespace.c:1150
task_work_run+0x130/0x1e4 kernel/task_work.c:164
tracehook_notify_resume include/linux/tracehook.h:189 [inline]
do_notify_resume+0x262c/0x32b8 arch/arm64/kernel/signal.c:946
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:133 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:138 [inline]
el0_svc+0xfc/0x1f0 arch/arm64/kernel/entry-common.c:597
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:614
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Code: f81b03b7 97f60470 d343fc08 aa0003fa (38736908)
---[ end trace f3d2883a97d76a0e ]---
----------------
Code disassembly (best guess):
0: f81b03b7 stur x23, [x29, #-80]
4: 97f60470 bl 0xffffffffffd811c4
8: d343fc08 lsr x8, x0, #3
c: aa0003fa mov x26, x0
* 10: 38736908 ldrb w8, [x8, x19] <-- trapping instruction


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.